fix: Removed usage of pull_request_target as much as possible to prevent security concerns by tmihalac · Pull Request #4549 · feast-dev/feast · GitHub
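--- a/.github/workflows/java_pr.yml
+++ b/.github/workflows/java_pr.yml
@@ -7,6 +7,9 @@ on:
 - synchronize
 - labeled
 
+permissions:
+pull-requests: read
+
 jobs:
 lint-java:
 # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
@@ -23,6 +26,7 @@ jobs:
 # code from the PR.
 ref: refs/pull/${{ github.event.pull_request.number }}/merge
 submodules: recursive
+persist-credentials: false
 - name: Lint java
 run: make lint-java
 
@@ -42,6 +46,7 @@ jobs:
 # code from the PR.
 ref: refs/pull/${{ github.event.pull_request.number }}/merge
 submodules: recursive
+persist-credentials: false
 - name: Set up JDK 11
 uses: actions/setup-java@v1
 with:
@@ -84,6 +89,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 submodules: 'true'
+persist-credentials: false
 - name: Setup Python
 uses: actions/setup-python@v5
 id: setup-python
@@ -120,6 +126,7 @@ jobs:
 # code from the PR.
 ref: refs/pull/${{ github.event.pull_request.number }}/merge
 submodules: recursive
+persist-credentials: false
 - name: Set up JDK 11
 uses: actions/setup-java@v1
 with: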
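Review bot: The new top-level `permissions:` block lists only `pull-requests: read`, and an explicit block sets every scope it omits, including `contents`, to none for all jobs in the workflow; the checkout and `make lint-java` steps in the later hunks evidently still pass, but if any job later needs the token to read the repository, the fix is to add `contents: read` to this block, not to drop it. Because the file keeps `pull_request_target` and checks out `refs/pull/${{ github.event.pull_request.number }}/merge`, the label gate named by the comment under `lint-java` (the `if:` itself is outside the hunk) is still what stands between a fork's code and the base-repo token, so adding `persist-credentials: false` to each checkout is the right complement. The checkout with `submodules: 'true'` has no `ref:` and so presumably builds base-branch content rather than the PR; a one-line comment such as `# no ref: this job intentionally checks out the base branch, not the PR head` would keep a future edit from "fixing" that by adding the PR ref.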
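--- a/.github/workflows/lint_pr.yml
+++ b/.github/workflows/lint_pr.yml
@@ -1,20 +1,16 @@
 name: lint-pr
 
 on:
-pull_request_target:
+pull_request:
 types:
 - opened
 - edited
 - synchronize
 
-permissions:
-# read-only perms specified due to use of pull_request_target in lieu of security label check
-pull-requests: read
-
 jobs:
 validate-title:
 if:
-github.repository == 'feast-dev/feast'
+github.event.pull_request.base.repo.full_name == 'feast-dev/feast'
 name: Validate PR title
 runs-on: ubuntu-latest
 steps: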
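Review bot: Removing the whole `permissions:` block leaves `validate-title` with the repository's default GITHUB_TOKEN scope rather than the read-only token the deleted comment set on purpose; under `pull_request` a fork PR already receives a read-only token, but a same-repo branch does not, and the title check in `steps:` (outside the hunk) only needs to read the PR. Keep an explicit least-privilege block, `permissions:` followed by `  pull-requests: read`, so the minimum is documented and enforced regardless of the repository default. As far as I can tell the `if:` rewrite to `github.event.pull_request.base.repo.full_name` is equivalent to the old `github.repository` for a `pull_request` event, since both name the repository whose workflow is running, so that part is a style change rather than a tightening and could be said so in the PR description.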
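--- a/.github/workflows/pr_integration_tests.yml
+++ b/.github/workflows/pr_integration_tests.yml
@@ -11,6 +11,9 @@ on:
 #concurrency:
 # group: pr-integration-tests-${{ github.event.pull_request.number }}
 # cancel-in-progress: true
+permissions:
+actions: write
+pull-requests: read
 
 jobs:
 integration-test-python:
@@ -46,6 +49,7 @@ jobs:
 # code from the PR.
 ref: refs/pull/${{ github.event.pull_request.number }}/merge
 submodules: recursive
+persist-credentials: false
 - name: Setup Python
 uses: actions/setup-python@v5
 id: setup-python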
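Review bot: `actions: write` in the new `permissions:` block is a broad grant for a workflow that, judging by the `ref: refs/pull/…/merge` checkout and its `code from the PR` comment, still runs PR-authored code under `pull_request_target`, and the only consumer visible here, the `concurrency:` cancel-in-progress stanza directly above it, is commented out. Unless a step outside the hunk cancels or re-dispatches runs, reduce the block to `pull-requests: read` alone, or add a comment above `actions: write` naming the step that requires it so the grant does not outlive its use. Note too that an explicit block sets unlisted scopes such as `contents` to none; if the checkout or the integration tests need the token for repository reads, add `contents: read` explicitly rather than widening anything else.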
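--- a/.github/workflows/pr_local_integration_tests.yml
+++ b/.github/workflows/pr_local_integration_tests.yml
@@ -2,19 +2,18 @@ name: pr-local-integration-tests
 # This runs local tests with containerized stubs of online stores. This is the main dev workflow
 
 on:
-pull_request_target:
+pull_request:
 types:
 - opened
 - synchronize
 - labeled
 
 jobs:
 integration-test-python-local:
-# when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
 if:
 ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||
 (github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved') || contains(github.event.pull_request.labels.*.name, 'lgtm')))) &&
-github.repository == 'feast-dev/feast'
+github.event.pull_request.base.repo.full_name == 'feast-dev/feast'
 runs-on: ${{ matrix.os }}
 strategy:
 fail-fast: false
@@ -27,10 +26,9 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
-# pull_request_target runs the workflow in the context of the base repo
-# as such actions/checkout needs to be explicit configured to retrieve
-# code from the PR.
-ref: refs/pull/${{ github.event.pull_request.number }}/merge
+repository: ${{ github.event.repository.full_name }} # Uses the full repository name
+ref: ${{ github.ref }} # Uses the ref from the event
+token: ${{ secrets.GITHUB_TOKEN }} # Automatically provided token
 submodules: recursive
 - name: Setup Python
 uses: actions/setup-python@v5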
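Review bot: The rewritten checkout in the second hunk passes `token: ${{ secrets.GITHUB_TOKEN }}` explicitly but, unlike the checkouts in the other three workflows of this PR, does not set `persist-credentials: false`, so the token remains in the checked-out `.git/config` while the PR's own test code runs in the later steps (the steps list continues past the hunk). With `pull_request` a fork receives a read-only token, but a same-repo branch gets the repository default, so replace the `token:` line with `persist-credentials: false` and, if nothing else in the job needs more, add a workflow-level `permissions:` / `  contents: read` block, which this file currently lacks. `repository: ${{ github.event.repository.full_name }}` and `ref: ${{ github.ref }}` restate what actions/checkout already resolves to for a `pull_request` event, so those two lines and their trailing comments can be dropped as well. The label gate kept in the first hunk now only decides whether the tests run; it no longer guards a privileged token as the removed comment implied, which is worth a short comment above `if:` so the gate is not mistaken for a security control.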